Consul Connect CA w/ Vault


I’ve had a consul cluster operational for around a month now that is using consul connect ca set up with vault. Everything has been working well, but in the past few days I’ve experienced 2 cluster-down type events.

The first one was related to the vault token used in the consul connect ca configuration: it was created as a periodic vault token, but it expired the other day, so I had to replace it and update the consul config with a new one. I may have mistakenly been under the impression it’d automatically renew itself as it was used by consul.

The second issue encountered was around the cert that consul had generated in vault pki for us based on the consul connect ca config: it expired and we began getting "cannot satisfy request, as TTL would result in notAfter ‘’ that is beyond the expiration of the CA certificate at ‘’".

Is it by design that these 2 issues need to be handled manually by us periodically as part of our internal process or should I expect these things to renew and rotate with vault automatically from consul connect ca?

I’m kind of fearful of increasing the TTL or doing anything on the vault pki mounts that consul connect ca created automatically for us, due to me bricking the first consul cluster because I meddled with it on the vault side instead of through consul.

So far, it seems like I’ll need to manually perform a ‘consul connect ca set-config’ and have it set up new ca/intermediary pki mounts in vault for the 2nd issue I encountered?
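As an added example (not part of the post, and not Consul's or Vault's own code), a Python check that flags the two conditions above before they take a cluster down: a Vault token that is not periodic, not renewable, capped by a max TTL or close to expiry, and a CA certificate whose notAfter is nearer than the leaf TTL Consul will ask Vault to sign. Field names follow the `data` section of `vault token lookup -format=json`; the sample token values, the clock value and the 72h leaf TTL are assumptions.

```python
"""Pre-emptive checks for the two outages described in the post: a Vault token
that will expire, and a Vault PKI CA whose notAfter is too close for the leaf
TTL Consul requests. All sample values are constructed; nothing here talks to
a live Consul or Vault."""
import json
from datetime import datetime, timedelta, timezone

# Constructed to mimic `vault token lookup -format=json` (data section only).
PERIODIC_TOKEN = json.dumps({"data": {"renewable": True, "period": 86400,
                                       "explicit_max_ttl": 0, "ttl": 80000}})
EXPIRING_TOKEN = json.dumps({"data": {"renewable": True, "period": 0,
                                       "explicit_max_ttl": 2592000, "ttl": 900}})
# Constructed "current time" so the CA checks below are reproducible.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def check_token(lookup_json, min_ttl=timedelta(hours=6)):
    """Return a list of findings for the token Consul uses toward Vault."""
    d = json.loads(lookup_json)["data"]
    findings = []
    if not d.get("renewable"):
        findings.append("token is not renewable")
    if not d.get("period"):
        findings.append("token is not periodic, so renewals stop at a max TTL ceiling")
    if d.get("explicit_max_ttl"):
        findings.append("explicit_max_ttl is set; the token dies at that ceiling")
    if timedelta(seconds=d.get("ttl", 0)) < min_ttl:
        findings.append(f"remaining ttl {d.get('ttl', 0)}s is below {min_ttl}")
    return findings


def check_ca(ca_not_after, now, leaf_ttl=timedelta(hours=72),
             warn=timedelta(days=30)):
    """Return findings for a CA cert given the leaf TTL Consul requests.
    Vault refuses issuance once now + leaf_ttl passes the CA's notAfter (the
    "TTL would result in notAfter ... beyond the expiration" error quoted in
    the post), so that case is a failure rather than a warning."""
    remaining = ca_not_after - now
    if remaining <= leaf_ttl:
        return [f"FAIL: CA expires in {remaining}, shorter than leaf TTL {leaf_ttl}"]
    if remaining <= warn:
        return [f"WARN: CA expires in {remaining.days} days; rotate before then"]
    return []


if __name__ == "__main__":
    print("periodic token:", check_token(PERIODIC_TOKEN))
    print("expiring token:", check_token(EXPIRING_TOKEN))
    print("CA in 2 days:", check_ca(NOW + timedelta(days=2), NOW))
    print("CA in 20 days:", check_ca(NOW + timedelta(days=20), NOW))
```

In practice the token JSON would come from `vault token lookup -format=json` and the CA notAfter from the certificate Vault serves for the mount Consul created, run on a schedule with an alert on any non-empty result.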